How to recover EBS 2008 Messaging server objects after an accidental Active Directory server object deletion

Problem Scenario:

From Customer Support feedback, we have learned that some customers facing a disaster on one of the Essential Business Server 2008 servers will naturally attempt to clean the failed server's residue from Active Directory before starting a replacement/recovery. This is not recommended for EBS and will block the recovery solution for the EBS Messaging server, since EBS relies on the preserved computer objects in Active Directory to proceed with replacement and recovery. Without the original computer objects, Exchange Server recovery will not succeed. Creating new computer objects with the same names as the original EBS servers is not an option: a newly created computer object cannot be used for replacement.

More specifically, we have seen customers who encounter a disaster clean up the failed server's residual metadata using ntdsutil. Metadata cleanup removes the NTDS Settings object, all replication links, the server object, etc. from Active Directory. After that, they often proceed to remove the computer object from the domain partition and start replacement in what they believe is a "clean" environment. Currently, our setup expects both the computer object and the ntdsSettings object to be present in Active Directory before it proceeds with recovery; otherwise Exchange recovery will fail. We have included documentation to prevent users from doing this, but it still seems to be a natural and common mistake.

Solution:

An object that is deleted in Active Directory does not instantly disappear; it instead remains as a tombstoned object in the "Deleted Objects" container of Active Directory. The object stays there for the tombstone lifetime before it is permanently removed. The Active Directory tombstone lifetime is set to 180 days in EBS 2008 by default.

You can use this feature of Active Directory and first re-animate the deleted computer object. The re-animated object preserves the same GUID, SID, class, SamAccountName, etc. and is effectively the same object; however, a few important attributes are stripped from it during re-animation. The most important attribute we care about is group membership (memberOf). Since group membership is stored on the group the object belongs to (its member attribute) and not on the object itself, this information is lost after re-animation. Hence, after re-animation we will apply the same group memberships to the computer object and then proceed with replacement. Depending on the condition of your AD, EBS Messaging replacement may block after domain join, expecting an ntdsSettings server object in the configuration partition. If this happens, simply create a new ntdsSettings object as explained below.

More specifically, this computer object recovery is a three-step process.

1. Re-animate the old deleted computer object:

There are many references online that explain how to recover an Active Directory object that has been tombstoned. I will not attempt to repeat the process here and instead will just include those references. The one thing you must remember is to restore the computer object back to the location it was in at the end of EBS setup, which is the Domain Controllers OU under the default domain partition.

Use the references below to manually restore the deleted EBS Messaging server.

- Manually Undeleting Objects in Active Directory

https://www.petri.co.il/manually-undeleting-objects-windows-active-directory-ad.htm

- Reanimating Active Directory Tombstone Objects

https://technet.microsoft.com/en-us/magazine/2007.09.tombstones.aspx?pr=blog

2. Reapply the group memberships to the restored computer object:

As mentioned above, group memberships are stripped from the object after re-animation because group membership is an attribute on the group the object belongs to, not on the object. Hence, after the computer object is recovered, it must be given at least the group memberships it had by the end of setup. Applying these group memberships will enable replacement to succeed. These groups are:

- Domain Controllers

- Exchange Install Domain Servers

- Exchange Servers

- SCE Managed Computers (<ServerName>_MG)

- Windows Essential Business Servers

3. If replacement blocks expecting an ntdsSettings object under the configuration partition, create it. You do not need to restore the original object from its tombstone; you can simply create a new one. To do this, use ADSI Edit (adsiedit.msc) and create a new AD object of class nTDSDSA under the location CN=<EBSMessagingServerName>,CN=Servers,CN=<SiteName>,CN=Sites,CN=Configuration,DC=<DomainName>,DC=COM.

You do not need to apply any properties or create any replication channels on this new object; DCPromo will take care of all these settings. Note that the above steps can also be used for restoring any non-EBS Exchange server after an accidental deletion of its server object. The only difference is that you will not need to apply the EBS-specific groups (step 2 above).
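The following PowerShell script is an added example, not part of the original post or of the EBS product, covering steps 1 and 2 above in one run: it locates the tombstoned computer object in the Deleted Objects container, re-animates it into the Domain Controllers OU with a single LDAP modify, and then re-adds it to the five groups listed in step 2. It uses System.DirectoryServices.Protocols rather than the Active Directory module, because tombstone re-animation needs no AD Recycle Bin and works against a Windows Server 2008 forest. The domain controller name, server name and the <ServerName>_MG group name in the parameter block are placeholders to be filled in; the account running it must hold the Reanimate Tombstones right (Domain Admins do by default). Step 3 (the nTDSDSA object) remains the ADSI Edit step described above.

```powershell
# Added example (not from the original post): reanimate a tombstoned EBS Messaging
# server computer object and re-apply its group memberships over LDAP.
param(
    [string]$DomainController = "dc1.contoso.local",   # assumption: DC to target
    [string]$ServerName       = "EBSMESSAGING",        # assumption: deleted computer's name
    [string]$SceGroupName     = "EBSMGMT_MG"           # assumption: the <ServerName>_MG group
)

Add-Type -AssemblyName System.DirectoryServices.Protocols
$ns = "System.DirectoryServices.Protocols"
$ShowDeletedOid = "1.2.840.113556.1.4.417"   # LDAP_SERVER_SHOW_DELETED_OID
$Subtree = [System.DirectoryServices.Protocols.SearchScope]::Subtree

$conn = New-Object "$ns.LdapConnection" $DomainController
$conn.SessionOptions.ProtocolVersion = 3
$conn.Bind()   # current credentials (Negotiate); needs the Reanimate Tombstones right

function New-ShowDeletedControl {
    # Critical, server-side control that makes the DC expose and accept tombstone DNs.
    New-Object "$ns.DirectoryControl" ($ShowDeletedOid, $null, $true, $true)
}

function Get-DomainDn {
    $req = New-Object "$ns.SearchRequest" ("", "(objectClass=*)",
        [System.DirectoryServices.Protocols.SearchScope]::Base, [string[]]@("defaultNamingContext"))
    $conn.SendRequest($req).Entries[0].Attributes["defaultNamingContext"][0]
}

function Find-Tombstone([string]$Name, [string]$DomainDn) {
    # Tombstones keep objectClass and sAMAccountName, so both can be filtered on.
    $base   = "CN=Deleted Objects,$DomainDn"
    $filter = "(&(isDeleted=TRUE)(objectClass=computer)(sAMAccountName=$Name`$))"
    $req = New-Object "$ns.SearchRequest" ($base, $filter, $Subtree, [string[]]@("lastKnownParent"))
    $req.Controls.Add((New-ShowDeletedControl)) | Out-Null
    $resp = $conn.SendRequest($req)
    if ($resp.Entries.Count -ne 1) {
        throw "Expected exactly one tombstone for '$Name', found $($resp.Entries.Count)"
    }
    $resp.Entries[0]
}

function Restore-Tombstone([string]$TombstoneDn, [string]$NewDn) {
    # Re-animation is one modify: remove isDeleted and replace distinguishedName,
    # sent with the Show Deleted control so the server resolves the tombstone DN.
    $del = New-Object "$ns.DirectoryAttributeModification"
    $del.Name = "isDeleted"
    $del.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Delete
    $mv = New-Object "$ns.DirectoryAttributeModification"
    $mv.Name = "distinguishedName"
    $mv.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    $mv.Add($NewDn) | Out-Null
    $mods = [System.DirectoryServices.Protocols.DirectoryAttributeModification[]]@($del, $mv)
    $req = New-Object "$ns.ModifyRequest" ($TombstoneDn, $mods)
    $req.Controls.Add((New-ShowDeletedControl)) | Out-Null
    $conn.SendRequest($req) | Out-Null
}

function Add-ComputerToGroup([string]$ComputerDn, [string]$GroupName, [string]$DomainDn) {
    $req = New-Object "$ns.SearchRequest" ($DomainDn, "(&(objectClass=group)(cn=$GroupName))",
        $Subtree, [string[]]@("member"))
    $resp = $conn.SendRequest($req)
    if ($resp.Entries.Count -ne 1) { Write-Warning "Group '$GroupName' not found or ambiguous; skipping"; return }
    $group = $resp.Entries[0]
    $members = @()
    if ($group.Attributes.Contains("member")) { $members = $group.Attributes["member"].GetValues([string]) }
    if ($members -contains $ComputerDn) { Write-Host "Already a member of '$GroupName'"; return }
    $mod = New-Object "$ns.ModifyRequest" ($group.DistinguishedName,
        [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Add, "member", [object[]]@($ComputerDn))
    try {
        $conn.SendRequest($mod) | Out-Null
        Write-Host "Added to '$GroupName'"
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # A DC's Domain Controllers membership is normally its primary group (primaryGroupID 516),
        # not a member value; if this add is rejected for that group, verify primaryGroupID instead.
        Write-Warning "Could not add to '$GroupName': $($_.Exception.Response.ResultCode)"
    }
}

$domainDn  = Get-DomainDn
$tombstone = Find-Tombstone -Name $ServerName -DomainDn $domainDn
$newDn     = "CN=$ServerName,OU=Domain Controllers,$domainDn"   # where EBS setup left it
Write-Host "Reanimating $($tombstone.DistinguishedName) -> $newDn"
Write-Host "lastKnownParent recorded on the tombstone: $($tombstone.Attributes['lastKnownParent'][0])"
Restore-Tombstone -TombstoneDn $tombstone.DistinguishedName -NewDn $newDn

$groups = @("Domain Controllers", "Exchange Install Domain Servers", "Exchange Servers",
            $SceGroupName, "Windows Essential Business Servers")
foreach ($g in $groups) { Add-ComputerToGroup -ComputerDn $newDn -GroupName $g -DomainDn $domainDn }
```

The script refuses to continue unless exactly one matching tombstone exists, and it prints the tombstone's lastKnownParent before restoring so you can confirm the object really came from the Domain Controllers OU rather than some other container. Group adds are idempotent: a DN already present in the group's member attribute is skipped instead of producing an LDAP error.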

After these steps you are ready to run EBS server replacement.

Good luck restoring …

Alireza Farhangi

Comments

  • Anonymous
    January 01, 2003
    Fantastic look into AD and overview of advanced skills required to manage operations. This would be a great script.